VIRTUAL PRIVATE NETWORK SERVICE PROVIDER
FOR ASYNCHRONOUS TRANSFER MODE NETWORK

Technical Field

The invention relates generally to asynchronous transfer mode ("ATM")
networks and virtual private networks ("VPNs"), such as those offered by MCI
and Sprint, and, more particularly, to a method of using a VPN to transfer
data over a data network, with third-party billing.
Background of the Invention

Telephone service providers offer third-party billing. For example, local
and long distance telephone companies offer calling cards for third-party
billing.

VPNs exist to provide the sense of a private network among a
company's locations. The lines/trunks of a VPN are actually shared among
several companies, to reduce costs, yet to each company the VPN appears to
be that company's own private network. However, a user at a remote data
terminal, such as a portable computer in a hotel room, cannot immediately
charge his company for the access time to a data net, such as the Internet.
Instead, his access time is charged to his hotel room, and so he must pay the
inflated rates that hotels charge for phone service.

What is needed is a VPN service provider that offers remote access for
users belonging to a VPN, user authorizations to prevent delinquent access
into the VPN, and convenient third-party billing.
Summary of the Invention 

The present invention, accordingly, provides a system and method for
using a VPN service provider to transfer data over a data network to a final
destination, with third-party billing. The method comprises the steps of:
prompting the user at a data terminal to select a destination, password, and
call type; selecting a VPN through the data network; giving an encryption key
to the user, and then prompting the user for a password and a user
identification; verifying the password, and providing an authorization code to
the user; and allowing the user to transfer the data through the data network
to the final destination, using the authorization code.

In another feature of the invention, the method further comprises
negotiating for more bandwidth for the user, and including within the
authorization code a grant of additional bandwidth.

In another feature of the invention, the method further comprises
encrypting the user's password, and sending the user identification and the
encrypted password to the VPN service provider.

In another feature of the invention, the method further comprises a
step of sending a set-up message to the data network.

In another feature of the invention, the method further comprises a
step of the VPN service provider decrypting the encrypted password.

A technical advantage achieved with the invention is that it shifts or
defers costs from an end user to a bulk purchaser of data network services.
Another technical advantage achieved with the invention is that it permits
end users mobility while attaining a virtual appearance on a corporate
intranet.

Brief Description of the Drawings 

Fig. 1 is a system block diagram of a VPN service provider of the
present invention.

Fig. 2 is a flow chart depicting the method of the present invention, as
implemented by application software on a user terminal.

Fig. 3 is the initial screen display of the user interface of the
application software.

Figs. 4A and 4B are call flow diagrams, illustrating the preferred
sequence of steps of the method of the present invention.

Figs. 5A, 5B, 5C, 5D, 5E, and 5F comprise a flow chart depicting the
method of the present invention, as implemented by switching control point
software.
Description of the Preferred Embodiment

In Fig. 1, the VPN service provider system of the present invention is
designated generally by a reference numeral 10. The VPN service provider
system 10 includes a VPN 12. The VPN 12 may be a corporate, government,
association, or other organization's telephone/data line network. The VPN
service provider system 10 also includes access lines 13 from the VPN 12 to a
data network 14, such as the Internet, or an ATM network. The VPN service
provider system 10 also includes access lines 16 from the data network 14 to a
long distance phone company 18, such as AT&T, MCI, or Sprint. The VPN
service provider system 10 also includes access lines 20 from the data network
14 to a called party 22, such as, for example, American Express reservations
service. The VPN service provider system 10 also includes access lines 24
from the data network 14 to a remote user terminal 26, such as a portable
computer in a hotel room. The user terminal 26 includes user application
software 28, which provides the interface for the user to enter the number to
be called, the user identification number, and the user's authorization code.
The VPN service provider system 10 also includes VPN service provider
software 30, located in a switching control point (SCP) device 32, which, in the
preferred embodiment, may be physically located anywhere. The SCP 32
connects to the data network 14 via access lines 36. One possible physical
location for the SCP 32 is on the premises of a local phone company central
switch building 34. However, even when located within the building 34, the
SCP 32 connects to the local phone company switches via the data network
14. The local phone company switches connect to the data network 14 via
access lines 38.

In an alternate embodiment, the VPN service provider software 30 and 
the SCP device 32 may be located on the premises of an independent provider 
of local phone service, or on the premises of an independent VPN service 
provider. 
Referring now to Fig. 2, the application software 28 begins the data
transfer process in step 50. In step 52, the user is presented with a screen
display.

Referring now to Fig. 3, a screen display 100 displays the following
information requests: whether the call is a direct call 102 or a call 104,
the number the user desires to call 106, the VPN user ID 108, and the user
password 110. The user is also presented with the option to make the call
112, or to quit 114.

Referring back to Fig. 2, in step 54 the user terminal sends to the SCP
32 the information captured through the graphical user interface ("GUI") in
step 52 within a user network interface ("UNI") setup message. In step 56 the
user terminal 26 waits for a connect message from the SCP 32. In step 58 the
user terminal 26 determines if a connection was made. If no connection was
made, then in step 60 the user application software 28 displays an error
message to the user, and returns to step 50 to begin again the data transfer
process.

If a connection was made, then in step 62 the user terminal 26 sends
the VPN user ID to the SCP 32. In step 64 the user terminal 26 waits for an
encryption key from the SCP 32. In step 66, having received the encryption
key from the SCP 32, the user application software 28 encrypts the user's
password, and sends it to the SCP 32. In step 68 the user terminal 26 waits
for authorization of the user. In step 70 the user application software 28
determines if the SCP 32 authorizes the user to make the call.

If the user is not authorized, then in step 72 the user terminal 26
displays an error message, terminates the connection, blanks the screen
display 100, and returns to step 50 to begin again the data transfer process.
If the user is authorized, then in step 74 the VPN service provider software 30
sets up the billing, and authorizes it. In step 76 the user terminal 26 sends a
"release" (meaning to terminate or disconnect the connection) to the SCP 32.
In step 78 the user terminal 26 sends a setup message to the number listed by
the user as the "number to call", that is, to the final destination. In step 80
the user terminal 26 waits for a connection. In step 82 the user terminal 26
determines if a connection was made.

If a connection to the final destination was not made, then the user
application software 28 returns to step 72, in which step the user terminal 26
displays an error message, terminates the connection, blanks the screen
display 100, and returns to step 50 to begin again the data transfer process.
If a connection to the final destination was made, then in step 84 the user
terminal 26 exchanges user data, services, and/or value added or user specific
applications with the computer at the address, that is, the telephone number,
of the final destination. In step 86 the user selects the option presented to
him to release, or terminate, the call. In step 88 the user terminal 26 sends a
release message to the final destination. In step 90 the data network 14
sends billing information to the SCP 32. In step 92 the application software
28 ends the data transfer process.

Fig. 4A and Fig. 4B are call flow diagrams, showing the sequence of
messages in the method of the preferred embodiment. These diagrams
present the same method as the flow chart of Fig. 2. The horizontal arrows
represent the messages sent and received. The vertical lines represent the
various devices involved in sending and receiving the messages. For example,
the top arrow in Fig. 4A represents a message sent from the user terminal
26, labeled "Macintosh" in Fig. 4A, to an interface with a public network. The
user terminal 26 can be any brand of a work station computer, a desktop
computer, a laptop computer, or even a notebook computer. The interface
could be any interface, but in the example of Fig. 4A and Fig. 4B, the
interface is imagined to be at a hotel, where a business traveler is using the
method of the present invention. Thus, the interface is labeled "Hotel ATM
Interface", which is not shown in Fig. 1. The vertical line labeled "Public
ATM Network" is the same as the data network 14 in Fig. 1. The vertical line
labeled "Moe's VPN Service" represents the VPN service provider software 30
within the SCP 32. The vertical line labeled "Travel ATM Interface" is not
shown in Fig. 1, but is located between the called party 22 and the data
network 14. The vertical line labeled "Travel Service" is one example of the
called party 22 shown in Fig. 1. In the example of Fig. 4A and Fig. 4B, the
business traveler is imagined to be using the method of the present invention
to contact a travel service to make reservations for his next airline flight. In
Figs. 4A and 4B the designation "Ack" represents "acknowledge", and the
designation "Cmp" represents "complete".

Referring now to Fig. 5A, the VPN service provider software 30 begins
the data transfer process in step 300 by waiting for an event. The event it
waits for is a setup message on a signaling port of the SCP 32, to be received
from the user terminal 26. In step 302, having monitored the signaling ports,
and the SCP 32 having received a setup message, the VPN service provider
software 30 assigns a call condense block ("CCB") to the setup message, based
on a call reference number. The CCB is a software data structure for tracking
resources associated with the call. The call reference number is a number,
internal to the SCP, for tracking calls. In step 304 the VPN service provider
software 30 compiles the connect message. In step 306 the VPN service
provider software 30 sends a connect message to the calling address, that is,
the hotel room from which the user is calling. In step 308 the VPN service
provider software 30 condenses, that is, it remains in a wait state for that
call.

Referring now to Fig. 5B, in step 310 the VPN service provider software
30 waits for an event by monitoring the signaling ports of the SCP 32. After
the SCP 32 receives a connect acknowledge message from the user terminal
26, then in step 312 the VPN service provider software 30 accesses the CCB,
based on the call reference number. In step 314 the VPN service provider
software 30 condenses.

Referring now to Fig. 5C, in step 316 the VPN service provider software
30 waits for dialog on a data port of the SCP 32. After the SCP 32 receives a
VPN ID on a data port, the VPN service provider software 30 verifies the VPN
ID in step 318. In step 320 the VPN service provider software 30 determines
if the VPN ID is valid. If the VPN ID is not valid, then in step 322 the SCP
32 sends a reject message over an assigned switched virtual circuit ("SVC"). The
SVC is a channel over the data network 14. In step 324 the VPN service
provider software 30 waits for dialog. In step 326, because the VPN ID is
valid, the VPN service provider software 30 assigns an encryption key to the
user terminal 26, in step 328 sends the encryption key over the assigned SVC
to the user terminal 26, and in step 330 waits for dialog.

Referring now to Fig. 5D, in step 332 the VPN service provider software
30 waits for dialog. When the SCP 32 receives the encrypted password from
the user terminal 26 at a data port, then in step 334 the VPN service provider
software 30 verifies the password, and determines in step 336 if the password
is valid. If the password is not valid, then in step 338 the SCP 32 sends a
reject message over the assigned SVC to the user terminal, and in step 340
waits for dialog. If the password is valid, then in step 342 the VPN service
provider software 30 assigns an authorization token to the user terminal 26,
in step 344 sends the token over an assigned SVC to the user terminal 26,
and in step 346 waits for dialog.

Referring now to Fig. 5E, in step 348 the VPN service provider software
30 waits for an event. When the VPN service provider software 30 senses
that the SCP 32 has received on a signaling port a release message from the
user terminal 26, then in step 350 the VPN service provider software 30
accesses the CCB, based on the call reference number of the user terminal 26,
in step 352 compiles a release complete message, in step 354 sends a release
complete message to the user terminal 26, and in step 356 condenses.

Referring now to Fig. 5F, in step 358 the VPN service provider software
30 waits for an event. When the VPN service provider software 30 senses
that the SCP 32 has received on a signaling port a third-party billing setup
message from the user terminal 26, then in step 360 the VPN service provider
software 30 verifies the token just received from the user terminal 26, to
determine, in step 362, if it is the same token that the VPN service provider
software 30 sent to the user terminal 26 in step 344. If the token is not valid,
then in step 364 the SCP 32 sends a release message to the terminal 26, and
in step 366 condenses. If the token is valid, then in step 368 the SCP 32
sends a modified third-party billing setup message to the data network 14,
and in step 370 condenses.
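The SCP-side dialog of Figs. 5C, 5D and 5F (VPN ID check, key issue, password check, token issue, token check on the billing setup) together with the terminal side of Fig. 2, simulated as an added example in Python; this is not code from the patent. The cipher applied with the session key, the token format, the single-use treatment of the token and the user directory are assumptions, since the patent specifies none of them.

```python
import hashlib
import secrets

# Constructed user directory (VPN user ID -> password); the SCP holds the password
# so it can decrypt the received value and compare (claims 5 and 10). Assumption.
VPN_USERS = {"ACME-0042": b"s3cret-pw"}


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream (assumed cipher; the patent names none).
    The same call encrypts (terminal, step 66) and decrypts (SCP, step 334)."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


class SCP:
    """VPN service provider software 30: one CCB per call reference number."""
    def __init__(self):
        self.calls = {}  # call reference number -> CCB (Fig. 5A, step 302)

    def setup(self, call_ref):
        """Fig. 5A: assign a CCB and answer the setup with a connect message."""
        self.calls[call_ref] = {"vpn_id": None, "key": None, "token": None}
        return "CONNECT"

    def receive_vpn_id(self, call_ref, vpn_id):
        """Fig. 5C: verify the VPN ID; reject, or issue a fresh encryption key."""
        ccb = self.calls[call_ref]
        if vpn_id not in VPN_USERS:
            return ("REJECT", None)                    # step 322
        ccb["vpn_id"] = vpn_id
        ccb["key"] = secrets.token_bytes(32)           # step 326
        return ("KEY", ccb["key"])                     # step 328

    def receive_password(self, call_ref, encrypted_pw):
        """Fig. 5D: decrypt and verify the password; reject, or issue a token."""
        ccb = self.calls[call_ref]
        if ccb["key"] is None:                         # password before any key: reject
            return ("REJECT", None)
        password = xor_with_key(encrypted_pw, ccb["key"])
        if not secrets.compare_digest(password, VPN_USERS[ccb["vpn_id"]]):
            return ("REJECT", None)                    # step 338
        ccb["token"] = secrets.token_hex(16)           # step 342
        return ("TOKEN", ccb["token"])                 # step 344

    def receive_billing_setup(self, call_ref, token):
        """Fig. 5F: the token must equal the one sent in step 344."""
        ccb = self.calls[call_ref]
        issued = ccb["token"]
        if issued is None or not secrets.compare_digest(token.encode(), issued.encode()):
            return "RELEASE"                           # step 364
        ccb["token"] = None   # assumption: one billing setup per issued token
        return "BILLING_SETUP_FORWARDED"               # step 368


def terminal_session(scp, call_ref, vpn_id, password):
    """User terminal side of Fig. 2 (steps 54 to 78); returns the SCP's last answer."""
    scp.setup(call_ref)                                          # step 54
    kind, key = scp.receive_vpn_id(call_ref, vpn_id)             # step 62
    if kind != "KEY":
        return "ERROR_VPN_ID"                                    # step 72
    kind, token = scp.receive_password(call_ref, xor_with_key(password, key))
    if kind != "TOKEN":
        return "ERROR_PASSWORD"                                  # step 72
    return scp.receive_billing_setup(call_ref, token)            # step 78
```

A token presented without a prior key and password exchange, or presented a second time, gets the release of step 364 rather than the forwarded billing setup of step 368.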

Although an illustrative embodiment of the invention has been shown 
and described, other modifications, changes, and substitutions are intended in 
the foregoing disclosure. Accordingly, it is appropriate that the appended 
claims be construed broadly and in a manner consistent with the scope of the 
invention. 
WHAT IS CLAIMED IS:

1. A computerized method of a virtual private network service
provider with third party billing, using a virtual private network to transfer
data over a data network to a final destination, the method comprising the
steps of:

a. prompting the user at a data terminal to select a destination, 
password, and call type; 

b. selecting a virtual private network through the data network; 

c. giving an encryption key to the user, and then prompting the 
user for a password and a user identification; 

d. verifying the password, and providing an authorization code to 
the user; and 

e. allowing the user to transfer the data through the data network 
to the final destination, using the authorization code. 

2. The method of claim 1, wherein step (d) further comprises 
negotiating for more bandwidth for the user, and including within the 
authorization code a grant of additional bandwidth. 

3. The method of claim 2, wherein step (c) further comprises 
encrypting the user's password, and sending the user identification and the 
encrypted password to the virtual private network service provider. 

4. The method of claim 3, further comprising, after step (a), the step
of sending a set-up message to the data network.

5. The method of claim 4, further comprising, after step (c), the step 
of the virtual private network service provider decrypting the encrypted 
password. 

6. An apparatus for providing a datalink connection from a user
terminal to a data network and to a virtual private network, with third party
billing, comprising:

a. an interface between the user terminal and the data network;

b. a switching control point device connected to the data network,
the switching control point device connected to a computer; and

c. a computer-readable medium encoded with a method of using the
virtual private network and the data network, with third party
billing, the computer-readable medium accessible by the

7. The apparatus of claim 6, wherein the method comprises
negotiating for more bandwidth for the user, and including within an
authorization code a grant of additional bandwidth.

8. The apparatus of claim 7, wherein the method further comprises
encrypting a user's password, and temporarily storing the user identification
and the encrypted password.

9. The apparatus of claim 8, wherein the method further comprises
sending a set-up message to the data network.

10. The apparatus of claim 9, wherein the method further comprises
decrypting the encrypted password.

11. A computer-readable medium encoded with a method of using a
virtual private network, with third party billing, the method comprising the
steps of:

a. prompting the user at a data terminal to select a destination,
password, and call type;

b. selecting a virtual private network through the data network;

c. giving an encryption key to the user, and then prompting the
user for a password and a user identification;

d. verifying the password, and providing an authorization code to
the user; and

e. allowing the user to transfer the data through the data network
to the final destination, using the authorization code.
12. The computer-readable medium of claim 11 wherein step (d)
further comprises negotiating for more bandwidth for the user, and including
within the authorization code a grant of additional bandwidth.

13. The computer-readable medium of claim 12 wherein step (c)
further comprises encrypting the user's password, and sending the user
identification and the encrypted password to the virtual private network
service provider.

14. The computer-readable medium of claim 13 further comprising,
after step (a), the step of sending a set-up message to the data network.

15. The computer-readable medium of claim 14 further comprising,
after step (c), the step of the virtual private network service provider
decrypting the encrypted password.

16. An apparatus for providing a datalink connection from a user 
terminal to a data network and to a virtual private network, with third party 
billing, comprising: 

a. means for prompting a user at the data terminal to select a 
destination, password, and call type; 

b. means for selecting the virtual private network through the data 
network; 

c. means for giving an encryption key to the user, and then
prompting the user for a password and a user identification;

d. means for verifying the password, and providing an authorization
code to the user; and

e. means for allowing the user to transfer data through the data
network to a final destination, using the authorization code.

17. The apparatus of claim 16, further comprising means for
negotiating for more bandwidth for the user, and including within the
authorization code a grant of additional bandwidth.
18. The apparatus of claim 17, further comprising means for
encrypting the user's password, and sending the user identification and the
encrypted password to the virtual private network service provider.

19. The apparatus of claim 18, further comprising means for sending
a set-up message to the data network.

20. The apparatus of claim 19, further comprising means for
decrypting the encrypted password.